Commit 5908a4c4 authored by Jakub Kicinski's avatar Jakub Kicinski
Florian Westphal says:

====================
netfilter updates for net-next

1.  silence a harmless warning for CONFIG_NF_CONNTRACK_PROCFS=n builds,
 from Zhu Wang.

2, 3:
Allow NLA_POLICY_MASK to be used with BE16/BE32 types, and replace a few
manual checks with nla_policy based one in nf_tables, from myself.

4: cleanup in ctnetlink to validate while parsing rather than
   using two steps, from Lin Ma.

5: refactor boyer-moore textsearch by moving a small chunk to
   a helper function, from Jeremy Sowden.

* tag 'nf-next-23-07-27' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  lib/ts_bm: add helper to reduce indentation and improve readability
  netfilter: conntrack: validate cta_ip via parsing
  netfilter: nf_tables: use NLA_POLICY_MASK to test for valid flag options
  netlink: allow be16 and be32 types in all uint policy checks
  nf_conntrack: fix -Wunused-const-variable=
====================

Link: https://lore.kernel.org/r/20230727133604.8275-1-fw@strlen.de


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents bb85e12f 86e9c9aa
+3 −7
@@ -376,11 +376,10 @@ struct nla_policy {
	{ .type = NLA_BITFIELD32, .bitfield32_valid = valid }

#define __NLA_IS_UINT_TYPE(tp)					\
	(tp == NLA_U8 || tp == NLA_U16 || tp == NLA_U32 || tp == NLA_U64)
	(tp == NLA_U8 || tp == NLA_U16 || tp == NLA_U32 ||	\
	 tp == NLA_U64 || tp == NLA_BE16 || tp == NLA_BE32)
#define __NLA_IS_SINT_TYPE(tp)						\
	(tp == NLA_S8 || tp == NLA_S16 || tp == NLA_S32 || tp == NLA_S64)
#define __NLA_IS_BEINT_TYPE(tp)						\
	(tp == NLA_BE16 || tp == NLA_BE32)

#define __NLA_ENSURE(condition) BUILD_BUG_ON_ZERO(!(condition))
#define NLA_ENSURE_UINT_TYPE(tp)			\
@@ -394,7 +393,6 @@ struct nla_policy {
#define NLA_ENSURE_INT_OR_BINARY_TYPE(tp)		\
	(__NLA_ENSURE(__NLA_IS_UINT_TYPE(tp) ||		\
		      __NLA_IS_SINT_TYPE(tp) ||		\
		      __NLA_IS_BEINT_TYPE(tp) ||	\
		      tp == NLA_MSECS ||		\
		      tp == NLA_BINARY) + tp)
#define NLA_ENSURE_NO_VALIDATION_PTR(tp)		\
@@ -402,8 +400,6 @@ struct nla_policy {
		      tp != NLA_REJECT &&		\
		      tp != NLA_NESTED &&		\
		      tp != NLA_NESTED_ARRAY) + tp)
#define NLA_ENSURE_BEINT_TYPE(tp)			\
	(__NLA_ENSURE(__NLA_IS_BEINT_TYPE(tp)) + tp)

#define NLA_POLICY_RANGE(tp, _min, _max) {		\
	.type = NLA_ENSURE_INT_OR_BINARY_TYPE(tp),	\
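Review bot: `__NLA_IS_UINT_TYPE` in the first hunk now admits NLA_BE16 and NLA_BE32 without saying how a big-endian attribute is meant to be compared, and because `__NLA_IS_BEINT_TYPE`/`NLA_ENSURE_BEINT_TYPE` are deleted in the same change, every validator that dispatches on the policy type (range checks as well as the mask check) must now carry its own NLA_BE16/NLA_BE32 arms rather than being excluded by the ensure-macros. A one-line comment above the macro would pin the contract: `/* NLA_BE16/NLA_BE32 count as unsigned; validators convert to host order before comparing */`. Removing the two BEINT macros is also a header API removal, so any remaining user outside this series — none is visible from here — would stop compiling. The diffstat reports +3 −7 while the three hunks shown account for +2 −6, so part of this file's change appears to be collapsed from view.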
+6 −0
@@ -355,6 +355,12 @@ static int nla_validate_mask(const struct nla_policy *pt,
	case NLA_U64:
		value = nla_get_u64(nla);
		break;
	case NLA_BE16:
		value = ntohs(nla_get_be16(nla));
		break;
	case NLA_BE32:
		value = ntohl(nla_get_be32(nla));
		break;
	default:
		return -EINVAL;
	}
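Review bot: The new NLA_BE16/NLA_BE32 arms convert with ntohs()/ntohl() before `value` is used, which fixes the byte order the policy's mask is interpreted in as host order; that is the sensible choice, but nothing in the hunk states it, and a policy author could easily write a big-endian mask for a big-endian attribute. Suggest `/* wire value is network order; the policy mask is compared in host order */` above the `case NLA_BE16:` line. The comparison against the mask presumably happens after the switch and is outside the hunk, so I cannot confirm from here that no second conversion is applied there.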
+30 −13
@@ -55,6 +55,24 @@ struct ts_bm
	unsigned int	good_shift[];
};

static unsigned int matchpat(const u8 *pattern, unsigned int patlen,
			     const u8 *text, bool icase)
{
	unsigned int i;

	for (i = 0; i < patlen; i++) {
		u8 t = *(text-i);

		if (icase)
			t = toupper(t);

		if (t != *(pattern-i))
			break;
	}

	return i;
}

static unsigned int bm_find(struct ts_config *conf, struct ts_state *state)
{
	struct ts_bm *bm = ts_config_priv(conf);
@@ -74,17 +92,16 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state)
		while (shift < text_len) {
			DEBUGP("Searching in position %d (%c)\n",
			       shift, text[shift]);
			for (i = 0; i < bm->patlen; i++) 
				if ((icase ? toupper(text[shift-i])
				    : text[shift-i])
					!= bm->pattern[bm->patlen-1-i])
				     goto next;

			i = matchpat(&bm->pattern[bm->patlen-1], bm->patlen,
				     &text[shift], icase);
			if (i == bm->patlen) {
				/* London calling... */
				DEBUGP("found!\n");
				return consumed + (shift-(bm->patlen-1));
			}

next:			bs = bm->bad_shift[text[shift-i]];
			bs = bm->bad_shift[text[shift-i]];

			/* Now jumping to... */
			shift = max_t(int, shift-i+bs, shift+bm->good_shift[i]);
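Review bot: matchpat, added in this section's first hunk, carries no comment on its unusual calling convention: both `pattern` and `text` must point at the *last* byte of their windows, the loop walks backwards via `*(text-i)` and `*(pattern-i)`, and the return value is the count of trailing bytes that matched (equal to `patlen` on a full match), which bm_find then reuses as the index into `bad_shift`/`good_shift` in the second hunk. A kernel-doc block stating those three points would stop a future caller from passing the start of the pattern. Only `text` is passed through toupper(), so the helper presumably relies on the pattern having been upper-cased at init when `icase` is set; that assumption belongs in the same comment. bm_find continues beyond the end of the second hunk, and the diffstat (+30 −13) exceeds what the two visible hunks account for, so further hunks of this file are collapsed from view.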
+2 −6
@@ -1321,13 +1321,9 @@ static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
	struct nlattr *tb[CTA_IP_MAX+1];
	int ret = 0;

	ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL);
	if (ret < 0)
		return ret;

	ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX,
	ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr,
					  cta_ip_nla_policy, NULL);
	if (ret)
	if (ret < 0)
		return ret;

	switch (tuple->src.l3num) {
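Review bot: With parse and validation folded into a single `nla_parse_nested_deprecated` call, the `int ret = 0;` at the top of the hunk is a dead initialization — `ret` is unconditionally assigned before it is read — so `int ret;` states the flow more honestly. The change itself is sound: attributes rejected by `cta_ip_nla_policy` now fail before `tb[]` is populated instead of after, which is the stricter order. ctnetlink_parse_tuple_ip continues past the hunk, so the per-family switch that consumes `tb[]` is not visible here.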
+2 −0
@@ -69,6 +69,7 @@

#define DCCP_MSL (2 * 60 * HZ)

#ifdef CONFIG_NF_CONNTRACK_PROCFS
static const char * const dccp_state_names[] = {
	[CT_DCCP_NONE]		= "NONE",
	[CT_DCCP_REQUEST]	= "REQUEST",
@@ -81,6 +82,7 @@ static const char * const dccp_state_names[] = {
	[CT_DCCP_IGNORE]	= "IGNORE",
	[CT_DCCP_INVALID]	= "INVALID",
};
#endif

#define sNO	CT_DCCP_NONE
#define sRQ	CT_DCCP_REQUEST
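Review bot: Guarding `dccp_state_names` with `#ifdef CONFIG_NF_CONNTRACK_PROCFS` across both hunks silences the warning only if every reader of the array sits under the same guard; the users are not in view, so that is worth confirming against the rest of the file, since a stray reference would now fail to compile for PROCFS=n instead of merely warning. If keeping two `#ifdef` blocks in sync turns out to be a maintenance burden, `static const char * const dccp_state_names[] __maybe_unused = {` is the alternative, at the cost of keeping the table in non-PROCFS images.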